Mobile Threat Blog

Share

Android Security Update – Jan 2018

On Jan 2, 2018 Google released an Android Security Bulletin containing details of security vulnerabilities affecting Android devices. Android security updates normally include two parts: general updates that affect most users and the updates affecting specific partners, such as hardware partners like NVIDIA, Broadcom and Qualcomm. Here we’ve summarized the general security updates on the Android Security bulletin from Security Patch level 2018-01-01.

9 Denial of Service Vulnerabilities: These types of vulnerabilities disable users’ ability to use the phone or access certain services. All of them are considered high impact. Eight vulnerabilities are found in the Android media framework and one is found in system libraries (such as libnl and libskia).

7 Privilege Escalation Vulnerabilities: These types of vulnerabilities allow unprivileged processes, such as from third-party apps, to escalate privileges to the system level, bypassing the sandbox restrictions. Four are found in the Android media framework, two are found in the system libraries, and one is found in the Android runtime. All vulnerabilities are rated as high impact.

4 Remote Code Execution Vulnerabilities: These types of vulnerabilities allow attackers to execute arbitrary code on user devices. All of them are considered critical severity. Five vulnerabilities are found in the Android media framework and one is found in system libraries.

The bulletin mentions that the “Meltdown and Spectre” vulnerability does not cause unauthorized information disclosure in ARM-based Android devices. However, users are advised to update their devices with the latest security patches to reduce the risk. Google has also launched a new Pixel / Nexus Security Bulletin for Pixel and Nexus devices .

Appthority urges users to update their Android devices to the latest OS version which includes these security updates. We also recommend enterprise IT admins set strong policies against keeping outdated OS versions on their employees’ mobile devices.